Publicised by security company Secunia, the flaw affect the range of browsers using the open source Gecko browser kernel. Anyone using an affected browser would be able to visit spoofed websites without being aware of it, something that would aid any crime based on setting up bogus websites, such as phishing sites.

The flaw arises from the way the browsers resolve web addresses that include international characters in International Domain Name (IDN) URLs. Russian researchers Evgeniy Gabrilovich and Alex Gontmakher first outlined the potential for such a spoofing issue in 2002, in what was then a theoretical paper, The Homograph Attack. Exploiting the hole could, they reasoned, allow them to register a "homographic" variant of www.microsoft.com that included Unicode/UTF-8-defined Russian characters similar to certain ASCII characters.

They speculated that some browsers would either resolve these characters in a garbled way or would, as has turned out to be the case, present them as if the registered domain was actually the real microsoft.com. Users could also be fooled into believing the bogus site was protected by an SSL certificate when it wasn’t.

There is no patch for the vulnerability though users can at least test browsers for it on the Secunia website.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.